openerp-expert-framework team mailing list archive
Message #00312
[RFC] context context in forms, views etc.
There is a new phenomenon, like a bug, that has been triggered in my version
of the server. I believe, at this point, it calls for some discussion:

In an attempt to tighten security of pythonic code, I have replaced instances
of eval() with one safe_eval(), customized to /not/ expose dangerous functions
(did you know that 'import' can be called through eval()?)

Anyway, as expected, this is incompatible with some context expressions found
in forms/views.

Notably, now, in stock/product_view.xml:product.search.stock.form, we have a
context like {'location': self}. Really, what is that supposed to mean? How
is it used? Isn't 'self' the product.product class? Will it always be the
project, if that search form is e.g. included in some inherited object somehow?

Other contexts that I will have to re-enable at the safe_eval are like
{'category': category.id}. Clear.

Major question is: what objects should be exposed at the context of the eval()
of the context? (confused wording?)

Do we have a definite guide of what's available at that context's context?
Should we note that in the developer's book, so that view designers know how
to form the context strings?

Proposition (beware: API change): use a very strict, and well defined set of
objects that will be defined at a context (or domain) dict. Don't use the
'self' notation (because it's a keyword), better use "this" (in honour of C++)
and let "this" be a dict of the parent class's browsable objects. Note down
requirements for forms, so that we make available the necessary information at
the context. Be careful, if possible, not to expose objects that will give
access to third functions (like <obj>.pool.get('res.users')...)

Please, I expect your comments on that.
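
The proposal above, sketched as an added example that is not part of the original message and is not OpenERP's safe_eval: a context string is parsed, checked against a fixed set of syntax nodes, names and readable attributes, and only then evaluated. The names eval_context, UnsafeExpression, is_rejected and SAMPLE_NAMES, and the policy that only `id` is readable, are assumptions made for illustration.

```python
import ast
from types import SimpleNamespace

# Syntax a context string may contain (assumed policy): literals, names and
# attribute reads. ast.Call is absent, so __import__('os') cannot be expressed.
ALLOWED_NODES = (ast.Expression, ast.Dict, ast.List, ast.Tuple, ast.Constant,
                 ast.Name, ast.Load, ast.Attribute, ast.UnaryOp, ast.USub)


class UnsafeExpression(ValueError):
    """The expression uses something outside the documented contract."""


def eval_context(expr, names, fields=frozenset({"id"})):
    """Evaluate a view context string against an explicit namespace.

    names  -- the only identifiers the expression may reference
    fields -- the only attribute names that may be read from them
    """
    tree = ast.parse(expr.strip(), mode="eval")
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES):
            raise UnsafeExpression("not allowed: " + type(node).__name__)
        if isinstance(node, ast.Name) and node.id not in names:
            raise UnsafeExpression("undefined name: " + node.id)
        if isinstance(node, ast.Attribute) and node.attr not in fields:
            raise UnsafeExpression("attribute not exposed: " + node.attr)
    code = compile(tree, "<context>", "eval")
    # Empty __builtins__ as a second layer behind the AST check.
    return eval(code, {"__builtins__": {}}, dict(names))


def is_rejected(expr, names):
    """True when the expression falls outside the contract (or fails to parse)."""
    try:
        eval_context(expr, names)
    except (UnsafeExpression, SyntaxError):
        return True
    return False


# Constructed sample namespace: a record stand-in with a data field and a
# 'pool' handle that must stay unreachable from view expressions.
SAMPLE_NAMES = {"category": SimpleNamespace(id=7, pool="registry handle")}

if __name__ == "__main__":
    print(eval_context("{'category': category.id}", SAMPLE_NAMES))
    for bad in ("{'location': self}", "__import__('os')", "category.pool.get"):
        print(bad, "rejected:", is_rejected(bad, SAMPLE_NAMES))
```

Because the namespace and the readable attributes are passed in explicitly, the same two arguments can serve as the documented list of what view designers may reference in a context string.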